What are SSL/TLS Certificates? Why do we Need them? and How do they Work?
ฝัง
- เผยแพร่เมื่อ 4 ก.ค. 2024
- In this video I explain the purpose of TLS/SSL Certificates, why did we invent them and what are their limitations. This is what gives you the green padlock on your browser which indicates you have a secure website.
🏭 Backend Engineering Videos
• Backend Engineering (B...
💾 Database Engineering Videos
• Database Engineering
🛰 Network Engineering Videos
• Network Engineering
🏰 Load Balancing and Proxies Videos
• Proxies
🐘 Postgres Videos
• PostgresSQL
🚢Docker
• Docker
🧮 Programming Pattern Videos
• Programming Patterns
🛡 Web Security Videos
• Web Security
🦠 HTTP Videos
• HTTP
🐍 Python Videos
• Python by Example
🔆 Javascript Videos
• Javascript by Example
👾Discord Server / discord
Become a Member
/ @hnasr
Support me on PayPal
bit.ly/33ENps4
Become a Patreon
/ hnasr
Stay Awesome,
Hussein - วิทยาศาสตร์และเทคโนโลยี
The missing puzzle in all your existing CA/TLS video was what the CA exactly does which is explained here. It takes the public key of the server and signs (generates digital signature) with his private key so that any clients can decrypt the content and verify if the public keys are the same to trust the server. Love to learn more from you. Thanks 👍
So... there one root certificate (installed in all devices worldwide) for each CA, right??
What if a new CA needs to be introduced? Or how is it?
@@cicher I don't know why my previous comment got deleted....
However...
There is not one rootCA for each CA specificly, one rootCA may sign multiple CAs.
The rootCAs are pre-installed on your OS and on Android you can view them in Settings > Security > More security settings > View security certificates; on Windows just run certlm.msc and navigate to Trusted root certificate authorities.
When a new CA (not rootCA) is introduced it can be signed by a rootCA or another trusted CA, which is signed by a rootCA or another CA, which is signed by a rootCA or another CA, which is signed by a rootCA or another CA.......etc., which is signed by a rootCA. You can check the certificate path in your browser (click/tap on the lock icon and click/tap "Connection is secure" and (Android: Google Chrome) tap Certificate information (the you can see the path in the drop down menu at the top) or (Windows: Chromium Edge/Chrome) click the certificate icon and tab to certificate path).
When a new rootCA is introduced worldwide the owner of the rootCA pays $ to the OS developers for including the rootCA in the next update.
And this is why (except for Let's Encrypt e.g.) SSL cerfiticates usually costs something and because the CA checks the identity of requestors and enforces the policies given by the CA. However, often if you buy a domain, in my case, from IONOS.de a signed SSL cerfiticate for your domain and subdomains is included in the price tag (as well as an email-service).
Instead of doing that you can create your own rootCA and install it on your devices, but of course this rootCA wont't be deployed worldwide or at least it's very unlikly if the you are not a major OS developer such as Microsoft, Google, Apple or Linux Foundation. Also on Android Deviced without root you will see the a warning "The network may be observed".
And that could be true, because there could be a man-in-the middle attack. In a enterprise environment a proxy filter which is capable of https is exactly the same.
The actual website has a encrypted connection to the proxy. The proxy decryptes the https to http, filters/alters the unencrypted data, encryptes back to https with it's own certificate, which is signed by a rootCA, which the company or a hacker installed on the client previously.
On Android the rootCAs, which are pre-installed by the developer, and the addicional rootCAs, which are installed by the user, are in a seperate directories.
To copy user rootCAs to the same directory as where the pre-installed rootCAs are stored, you need root-access to do so.
Ahhhhh! Thank you! You can create your own rootCA. Most of the explanation with SSL explains how it functions on public facing websites. I think creating your own rootCA is how you can use SSL in your own private network?
This is what I’ve been wondering.
This is the best explanation that I've seen about keys and certs. Tanx Man!
Man, you are genius!! I’ve spent almost an hour checking other videos about ssl but couldn’t understand it completely. But the way you explain it, it’s super clear now. Thanks a lot
I understood public key cryptography, but was looking for how these certificates are exchanged. This explanation was spot on, thank you so much.
This is by far the best explanation I've seen on SSL certificates. Thank you!!
Wow, thank you! glad I could help
I was going to mock your comment because in every video there's a comment saying exactly what you did. After watching the video, yes this is the best explanation by far 😀😀😀
I like your personality and your way of teaching. Listening to you is entertainment and learning at the same time. Keep up man ❤️
really this is a great explanation
but at 11:45 you say that the way of verification is that it encrypt the certificate with the certificate authority public key and check if it output the same signature, I think this is not a way of verification as if the signature is the encryption of the certificate using the public-key then any one can fake the certificate easily
I think the only of verification is the other way you mentioned in 11:54 which is decrypting the digital signature using the public-key of CA which result in a hash then compare this hash with the hash of the content of the certificate and if it match, then everything is correct
I think that I read before that in digital signature, it is created by encrypting the content using private-key and other people decrypt it using the public-key
I've just watched this video ten times just to enjoy the stuff. Really cool way of teaching.
Really helpful lecture to understand the fundamental of exchanging the keys and how do they encrypt.
"take my public key beautiful" lmfao
kinda cringy lol
This left no questions open, amazing.
This explanation was exactly I was looking for. Thank you!
Oh man !! You just made it perfectly simple. Enjoyed learning.
I just want to say, i love your energy!! Great video btw!
Thank you! Just what I was looking for :)
This is a great video. Understood everything!!
Very nicely explained. Thank you Husein.
Thanks a lot for this video!
This is awesome, thank you. The visuals were helpful
Nice video Hussein, Thank you!
love the knowledge you have shared, it was extremely useful and it had a bit of humor in it to make the watcher feel engaged
Thanks alot for the content youre puttting out man. Really appreciate it captain
.
Thank you Hussein for the great explanation. Finallyyyy I got the concept
Thank you Hussein, I am an IT student and this video helped me so much !
Excellent explanation!
this video is really help,thanks a lot!
This guy's voice is perfect for teaching. So relaxing and calming :)
Wow what a clear insight.when i search for this in youtube i got a video a guy in dark light and writing in transparent board but it was nothing near to your videos but his video got 100k views wondering comparing to that your content deserves 1M views. You’re missing some TH-cam strategies
this video is a hidden treasure!
I was really struggling to understand the chain of trust concept. Thanks for this wonderful explanation.
Tq bro I love the way u explain the things it is so interesting..
Excellent Concept..
Well explained Hussein
Fantastic useful content!
Glad it was helpful Magomed!
Best explanation ever
Such an amazing video Hussein. Thank you so much for a fun and interesting way of teaching this. Liked and Subbed :)
Really great man
Awesome video man
Great job! As always I’d say... you deserve a lot more than 30k subs!
Exploited89 thanks!! Am soo grateful To have 30k couldnt ask for more awesome subs
totally awesome !!!!
Excellent !
This is the video that I will watch when I need to review TLS certificate.
thanks bro for the explanation
Here is my comment, son.
This is a great video, thanks
Hii Hussein
Thanks for all the videos you make and share ur knowledge with us. i have gained alot of knowledge from your videos ❤️❤️❤️
I am little bit confused on cipher suit which is exchanged during SSL or TLS it will great if you can make a video on how each algorithm in cipher suit syntax helps in establishing a secure connection
Lots of love from India ❤️❤️❤️
jain kapil thank you Jain! Great idea
Nasser, you're great
Thanks!
U made my day!!!
❤️
PERFECT!
I believe this channel is going to become the next Khan Academy for technology
Thank you
You are the best
wow what an explanation
This entire process reminds me of the mid to late 70's. Every software developer out there was developing software by throwing software spitballs at the wall to see what would stick. The game was to capture market share by being first to market regardless of how good or bad the software was, and then go back to fix all the bugs after release. The product did not matter, you simply had to get sufficient market share to control the standards and hence the licensing. It happened time after time. 50 years later and it's still going on.
I wish you create more explaining video on how this all works on text and symbols level, what adds to what, and extracts from what
Your key-drawing skills dramatically increased through the video!
Trying to get better still! Haha thanks though
@@hnasr who is this dangerous hacker, Karen, btw?
xD u made my day man, thanks 🤣
Que vídeo incrível! Aplaudi por R$ 5,00 👏👏
❤️❤️❤️
Thank you for your video. I have some questions:
- Does the server send the certificate for every session?
- Does the server asks the CA for a certificate for every session? Or does this happen only once?
- Can't Karen get her certificate signed by a CA using the public key of the server? Because she has access to it since it is just send over?
- Do I have a root certificate on my PC for every website? And does it expire? I've never had to renew one? How does this work?
Or am I totally wrong here?
legend
As you mentioned in the video the public key of a server encrypted by CA's private .So the client who already have root certificate which include CA's public key can decrypt the certificate send by the server . Is it possible that publick key can decrypt the data which was encrypted by private key ?
The certificate authority uses its private key or public key to encrypt / sign the certificate?
Your video was amazing. I understood it all but got a little confused at the end where the client has to then verify the CA's signature on the servers public certificate and then eventually makes its way back to the root certificate. I'm not sure I need to know either but still understanding the rest was important i.e. going from RSA to then signed certificates.
Hi Hussein , in love woth your content...I'm watching your videos on daily basis 😂💯 ....had a question, is SSL getting outdated or being replaced by TLS? Or they both have their own roles?....Love from India❤️🙏
Hi Hussein, i am confuse since i am new at this and i already made my server secure with ssh with putty and what i don't understand is does making a certificate replace replace my ssh keys with the certificates keys from certbot? I have a hard time setting up my vps with 3 domains under a single wildcard certificate!
you should make nft with those beautifull drawings of yours. Thanks a lot for the explaination
Hey Hussein... can you come up with a video on the details of the certificate itself... for example whats an Authority Key identifier, SCT List etc ... guaranteed atleast 5-10 views from my end and a like
mass thala..
Hi bro
Ur tamil
yes from chennai
Aye yo you’ve gotten a new subscriber😃
Btw we share the same name😝
vert nice explanation. Τhe only thing I would like you to make clear is, where is the public key of the Certificate authority stored, and to whom is avaliable. The same for root authority's public key. And why it's not easy for someone to pretend it's the root or the CA it's self?
Root CA is where the chain ends, and its public key is stored/hard coded in the browsers or in your device by the device's manufacturer.
I was following until you mentioned the green key the client has. So how does the client get the green key? Is that something automatically included in every browser? and who gives the server their public and private keys. Does the CA provide those with the certificate?
if the certificate is my Apple ID thats considered private right ?
Could I ask, if you are a website such as ebay where your actual application requires a certificate, is the point of that cert to ensure -- as a customer -- that you are genuinely communicating with ebay and not an imitation site?
Correct , without certificate there is no way we know that someone in the middle has intercepted the traffic
Can someone please explain what prevents a hacker from faking a certificate chain? Why can't I locate the verisign root certificate under my computer, and create a chain with my keys, the target domain and a hash function?
Your free content is also great like your paid one
What happens if an attacker intercept the public key of server before reaching certificate authority and sends his public key to CA.
Good question, during the certificate creation the server establishes a secure connection with the CA first during which CA sends its certificate to the server. The server will securely send its public key in that secure connection so no one can intercept it. If someone tries to intercept they need to prove that they are the CA by providing the CA cert which is not possible
Hi great video! Question- taking a simple example of accessing a new website, are you saying that as part of the negotiation and connection establishment my device will be communicating with 2 different hosts primarily: 1)the web server itself and also 2) the certificate authority- as part of the process to validate the authenticity of the certificate the web server claims is theirs? then my next question is who are the certificate authorities? are these just middlemen companies who have followed some red tape to become a qualified CA and we all just agree that we will trust them since its their only job to validate certs? so basically just trying to understand who the CAs are. would it be a true statement to say that if potentially this trusted CA company decides they want to intercept our traffic, they could do so since they are the ones who say whether the cert is legit or not
* Client connects to web server
* Web server responds with its certificate full chain
* client verifies the certificate chain locally up until the ROOT cert which should exists in the machine/cert store. (Client doesn’t need to contact CA for that)
That is the happy path, there is however a case which a certificate isnt expired but has been revoked (eg private key leaked) in that case one solution was CRL (certificate revocation list) a list of all revoked certs, that was bad because the list grow very large and hard to maintain...
So they came up with OCSP (online certificate status protocol ) which the client must ask the CA to see if a certificate is still valid and not revoked. That is when the client connects to CA. Obviously people didn’t like that because you are leaking the sites you are visiting to the CA..
The other better approach is OCSP stapling which let the server asynchronously ask the CA on the backend and staple and sign the certificate with date proving that it hasn’t been revoked..
So in a nutshell nowadays you only connect to webserver but depends on the revocation protocol you might connect to the CA
@@hnasr thanks! that mostly makes sense except step 3. i am really confused about what the client is able to do in order to validate the full certificate chain is authentic. is it built into the browser? so when i install chrome for example that comes along with the ability to validate certificate chains? also, locally... root... any chances of a video on all of this part? or is it already on this video and its just all over my head yes that is more likely
@@DrHoops21 I asked ChatGPT how does Chrome browser validates a Certificate Authority. And here is the response.
"When you visit a secure website, the server presents its SSL certificate to your browser. Chrome checks if the certificate is issued by a trusted CA. It does this by looking at the certificate chain, where the website's certificate is signed by an intermediate CA, and the intermediate CA is ultimately signed by a root CA. The root CA's certificate is stored in the browser's trust store."
I'm a bit confused - i thought symmetrical was when you only used a private key, but here you say they use both private and public keys and that it is symmetrical?
Private public key is asymmetrical, using the same key to encrypt / decrypt is symmetrical.
This might help th-cam.com/video/Z3FwixsBE94/w-d-xo.html
Me on tinder- "Take my public key beautiful. Take it."
Ubuhlungu sbale !
😂 Keep going explaining things this way
here's my public key SON
Yeah I actually really need to understand what a certificate is.
01:59, very weird looking key. 👀
Nice explanation but i didn't how server verify itself to CA since server is sending public key to CA and Karen might be inbetween server and CA and Karen might send her public key instead of servers public key ? Digital signature by sending private key of server will verify that its a legitimate server....
I totally loved the explanation
but I suggest you the find any other app so that you do not open your side toolbar multiple times. Its distracting many times.
Ok, but then what if I issue a certificate for one of my websites, but then man-in-the-middle a user and say like "Hey, I'm Google.com and here's my public key. Don't trust me? Look it's signed by those CAs!" and just send them my website's signed public key. How will the user know that even though this key is signed, it's not for google.com?
It won’t be trusted by your device because no trusted CA will ever sign a certificate to google.com to you without proper domain verification.
It did happen with Diginotar but that CA got banned immediately
i need SSL because chrome uses HTTPS for default connection
Hmm I was totally confused! Too much back and forth changing colours. Going to have to rewatch again
good stuff.. but too many times color changing was annoying for me...
Wish @ 193K subs flow diagrams were drawn a little better. Also other vids from Hussein are better (less cocky).
So... Client has to install the Certificate from the Server... So that it knows the request coming from the right Server... Am I correct?
Correct, most of the time those certs are preloaded with the OS cert store. Recently browsers are also coming up with their own cert store too
@@hnasr Okz thanks Hussein.. Actually we have a custom cloud application which calls a web server.. and we are making Api callouts, from code, not from browser. So it should be the same concept for that as well..right..
It's usually Alice, Bob and Eve in Cryptography.
Correct, but this is not a usual channel :)
@@hnasr Yeah, never heard a more boring thing than Alice and Bob!
ok, I understand ...... they make very complicated communication between public computers and servers ...just to make a money ...from nothing.
Is not signature = server public key + ca public key ?
You say signature= server public key + ca private key
"Take my public key beautiful"
No Karen was hurt!
Here is my public key SON.
Why don't they just send a PDF instead of making me go through all 7 levels of HELL ?
we live in a world full of keys